It’s not unusual for movies, actors, and actresses to serve as lures in cyber attacks. Our recent post on “Spider-Man: No Way Home” proved that. Phishers and other threat actors will, unfortunately, try to capitalize on anything that’s bound to get a lot of user attention. And the annual Oscar Awards is no stranger to such a scenario. Just last year, in fact, hackers used nominated films as phishing baits. This year may be no different.

We hope to forewarn users of such a threat this time, though. So we collected a list of domains and subdomains containing the titles of the movies and names of actors and actresses competing for Oscar awards this year.

Our deep dive resulted in interesting findings, including:

• Almost 5% of the domains containing the best picture, actor, and actress contenders were dubbed “dangerous” by various malware engines.
• The malicious web properties we found so far resolved to seven unique IP addresses, one of which turned out to be malicious, too.
• As expected, several of the domains and subdomains analyzed were newly registered, likely since predictions of contenders were announced.

As part of our ongoing effort to enable cybersecurity analysts and researchers to further their studies, we collated all pertinent data and made it available to anyone interested. You may download the related threat research materials here.

What Our Analysis Revealed

We began our investigation by collating lists of domains and subdomains containing the strings in the table below via Domains & Subdomains Discovery.

While 10 movies are up for the Best Picture title, we didn’t find domains and subdomains containing strings for “Don’t Look Up” and “Drive My Car.” That said, we still found 159 sites (103 domains and 56 subdomains) containing the movie string combinations listed above. We also found 3,430 pages (1,994 domains and 1,436 subdomains) indicating ties to the five best actor nominees and 5,472 sites (1,556 domains and 3,916 subdomains) showing connections to the five best actress contenders.

It’s also interesting to note that the more popular an actor or actress is, the more domains and subdomains there were dedicated to them. Take a look at the comparisons between their web property volumes and Google Trends reports below.

While very few of the web properties were dubbed “dangerous” by various malware engines, five domains and four subdomains to be exact, to date, more of them could be compromised and weaponized as the Oscars 2022 fever continues until the show gets aired on 27 March. The malicious web properties, after a bulk malware check via the Threat Intelligence Platform (TIP), are listed below.

Running the malicious web properties through a bulk DNS lookup revealed that they resolved to eight IP addresses. One IP host 34[.]102[.]136[.]180 (for willsmithcreative[.]com) should especially be avoided, as it was deemed malicious by several malware engines.

Interestingly, though, even if seven of the shared IP hosts weren’t tagged “dangerous,” at least two of them (since our list of connected domains were limited to five each) hosted malicious domains. For those who use IP-level blocking, blacklisting 216[.]10[.]249[.]8 and 198[.]54[.]115[.]140, apart from the malicious web properties identified above, could be a good idea. These ties show why expanding initial lists of indicators of compromise (IoCs) and artifacts is critical if users wish to employ utmost protection.

A bulk WHOIS lookup for the 3,653 domains showed that 29 of them were newly registered. While we can’t be sure, that could have a lot to do with the contenders’ recent Oscar nominations.

Many people are bound to look for sites containing more information on the Oscars 2022 nominees. And while none of the movie-themed web properties are tagged “malicious” now, threat actors could poison them. Some who may wish to stream or download copies of the movies may end up with malware infections instead. And those who want to learn more about the actors and actresses should stay away from the dangerous domains, subdomains, and IP addresses mentioned here.

If you wish to perform a similar investigation, please don’t hesitate to contact us. We’re always on the lookout for potential research collaborations.